clone-page
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/lib/browser.mjs` uses `execSync` to perform runtime installation of the `playwright` package and Chromium browser. This enables the execution of arbitrary shell commands on the host system.
- [COMMAND_EXECUTION]: Chromium is launched with the `--no-sandbox` and `--disable-web-security` flags in `scripts/lib/browser.mjs`. Disabling these security boundaries increases the risk of host compromise when the agent interacts with potentially malicious external websites.
- [COMMAND_EXECUTION]: The `scripts/lib/init.mjs` file attempts to read a script using a relative path that reaches three levels above its own directory (`../../../extract-page-data/...`). This behavior attempts to access files outside the skill's defined scope.
- [COMMAND_EXECUTION]: The `scripts/query.mjs` utility is vulnerable to path traversal. The `file` command uses `path.join` on user-supplied relative paths without sufficient sanitization, which could allow the reading of arbitrary files on the system.
- [EXTERNAL_DOWNLOADS]: The skill performs automated downloads of the Playwright library and Chromium binaries from official registries. Additionally, `scripts/lib/assets.mjs` downloads arbitrary assets (images, fonts, and SVGs) from target URLs identified on the cloned webpages.
- [REMOTE_CODE_EXECUTION]: Dynamic execution of `npm install` and `npx playwright install` at runtime fetches and executes external code. This setup process lacks version pinning and occurs outside of standard package management workflows.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion: Untrusted data enters the agent context via browser injection scripts in `scripts/inject/extract-skeleton.js` and `scripts/inject/extract-section-styles.js`.
  - Boundary markers: Absent.
  - Capability inventory: Includes subprocess calls (`execSync`) in `scripts/lib/browser.mjs`, file writes in `scripts/lib/assets.mjs`, and network operations in `scripts/lib/assets.mjs`.
  - Sanitization: Absent for extracted text content.
Audit Metadata